Draft. This document is published as a working draft pending legal review. The final version may differ in scope, language, or specific provisions. Last updated: 2 May 2026.
01 Overview

Your rights at a glance

Under UK GDPR (and EU GDPR, for data subjects in EU member states), you have the following rights over the personal data Vendably Trust processes about you:

  • Right of access (Article 15): request a copy of the personal data we hold about you, including your reviews, invitation history, and moderation history.
  • Right to rectification (Article 16): ask us to correct inaccurate personal data we hold about you.
  • Right to erasure (Article 17, the right to be forgotten): request deletion or anonymisation of your personal data in certain circumstances.
  • Right to restriction of processing (Article 18): ask us to pause processing of your data while a complaint or dispute is being investigated.
  • Right to data portability (Article 20): receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Article 21): object to processing of your data on the basis of legitimate interests.
  • Right not to be subject to solely automated decision-making (Article 22): know when a decision that affects you has been made solely by automated means, and in certain cases, request human review.
  • Right to lodge a complaint: complain to the ICO (or your country's supervisory authority) if you believe we have handled your data unlawfully.

Each right is explained in more detail in the sections below.

02 Access

Right of access

You have the right to request a copy of the personal data Vendably Trust holds about you. This is called a Subject Access Request (SAR).

What we will provide

  • Copies of all reviews you have submitted
  • Your invitation history (which invitations you have received and which you have acted on)
  • Your moderation history (if any of your reviews have been held, flagged, or removed)
  • Your account metadata (name, email, country, language preference)

What we will not provide

  • Personal data relating to third parties
  • Ongoing moderation reasoning where providing it would prejudice an active investigation (for example, details of a fraud detection process that is still open)

Timescales

We will respond within 1 month. For complex or numerous requests, we may extend this by a further 2 months, and we will let you know within the first month if an extension is needed.

There is no fee for a SAR, unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to respond.

03 Erasure

Right to erasure

The right to erasure (also called the right to be forgotten) allows you to request deletion or anonymisation of your personal data in certain circumstances.

What you can request erasure of

  • Your reviewer name and email address
  • Your country and language data
  • Your IP address and user agent from access logs
  • Any draft reviews you have not yet submitted

Published reviews

Published reviews present a more complex case. A published review is a public statement that other shoppers rely on when making purchasing decisions. Outright deletion would remove information that is relevant to others.

Our standard approach for published reviews is anonymisation: we will replace your reviewer name with "Verified reviewer" and remove any identifying information from the review text, so that the review itself remains published but is no longer attributed to you.

Full removal of the review content is available where:

  • The review itself is unlawful (for example, it contains your own personal data included without your consent, or it has been determined to be defamatory)
  • You withdraw your consent and there is no other lawful basis for processing
  • The review was submitted in error and has not yet been relied upon by others (we treat this case-by-case and early requests are more likely to be accommodated)

When erasure does not apply

  • Data we are required to retain by law, for example moderation audit logs that may be needed as evidence in legal proceedings
  • Data we need to exercise or defend a legal claim
  • The statistical contribution of a verified review to the merchant's aggregate score (the rating value is retained in anonymised aggregate form even after erasure of the reviewer's identity)
04 Rectification

Right to rectification

You have the right to ask us to correct any inaccurate personal data we hold about you.

The following can be corrected at any time on request:

  • Your reviewer name
  • Your email address
  • Your country
  • Your language preference

Review content (the text and rating of a published review) can be edited only within the 24-hour edit window after publication, as described in our methodology. After the edit window closes, review content is locked. If you believe your review contains a factual error that affects others, contact us and we will consider the request case-by-case.

05 Portability

Right to data portability

You have the right to receive a copy of the personal data you have provided to Vendably Trust in a structured, commonly used, machine-readable format, and to transmit that data to another controller.

We can provide your data export in JSON or CSV format, containing your reviews and account metadata. There is no charge for this. We will fulfil the request within 1 month.

To request a portable data export, contact us using the details at How to exercise your rights.

06 Object

Right to object

You have the right to object to processing of your personal data where that processing is based on legitimate interests (Article 6(1)(f) UK GDPR). Where you object, we will stop processing your data for that purpose unless we have compelling legitimate grounds for continuing that override your interests, rights, and freedoms, or unless we need to continue for the establishment, exercise, or defence of a legal claim.

Where we process your data for direct marketing purposes, you can object at any time and we will stop immediately, without needing to justify our decision.

To exercise your right to object, contact us using the details at How to exercise your rights.

07 Automated decisions

Automated decision-making

Vendably Trust uses automated moderation to assess every submitted review before publication. This is not solely automated decision-making in all cases:

  • For the most serious categories of content, including suspected defamation, threats, illegal content, and PII belonging to third parties, the automated pipeline holds the review and flags it for mandatory manual review by a member of the Vendably moderation team. Auto-moderation does not remove these reviews on its own.
  • For profanity and spam, auto-moderation may remove a review without prior manual review. Where this happens, you have the right to appeal the decision. See our Content Guidelines for the appeals process.

No decision about access to other services, credit, or employment is made based solely on automated processing by Vendably Trust. The only decisions made are about the publication status of reviews you have submitted.

If you believe an automated moderation decision has incorrectly removed your review, you can appeal using the process described in our Content Guidelines, or contact us directly.

08 Exercising your rights

How to exercise your rights

To exercise any of the rights described on this page, send an email to: [TODO: privacy@vendably.com or whichever DPO contact email].

Please include:

  • Your full name
  • The email address you used to submit reviews on Vendably Trust
  • The right you are exercising (for example: access request, erasure request, portability request)
  • A brief description of what you would like us to do (for example: delete my reviewer name from all published reviews; provide a copy of all my data in JSON format)

We will respond within 1 month. For erasure requests relating to published reviews, we may need to verify your identity before acting, particularly where removing or anonymising a review would affect a third party (for example, where the merchant may dispute the erasure). We will contact you if we need additional verification.

09 Complaints

Complaints to the ICO

If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

If you are located in an EU member state, you also have the right to lodge a complaint with the data protection authority in your country of residence. A full list of EU supervisory authorities is available at edpb.europa.eu.

We ask that you contact us first before lodging a complaint with a supervisory authority, as we may be able to resolve the issue directly.

10 Our DPO

Our Data Protection Officer

Our Data Protection Officer (DPO) is responsible for overseeing Vendably's compliance with data protection law and acts as an escalation point for data subject concerns.

Contact the DPO at: [TODO: confirm DPO contact: separate DPO contact email or same as privacy@vendably.com?].

11 More information

More information

For full details on how Vendably Trust collects, uses, and shares your personal data, including sub-processors, retention periods, and international transfers, see our Privacy Policy.

For general terms of use of trust.vendably.com, see our Terms of Use.

For data protection matters relating to the Vendably platform (merchant tools, billing, DataHub), see the Vendably platform privacy policy at vendably.com/privacy/.